I have license for FTPSBlackbox client VCL edition and I'd like to use that to perform file encryption and decryption. I'll have an encrypted file (AES 256) on the disk, the application will read it into memory and decrypt it, write to it, then write it back to disk in encrypted format.

With the Eldos SBB package that I have, what is the best way to do this? I have multiple users using the same databases so I can't have the user enter a password, and I want the application to encrypt/decrypt automatically. I can either store the password securely and have the application retrieve it, or I can hardcode it into the application. I know that is not preferred, but the application is on a secure server with access via VPN given only to a small number of preapproved users. The likelihood of a legitimate user disassembling the exe file and discovering the password is nearly nil. Additionally, the data files are located on a separate server with a secure connection between the two servers.

I'm hoping that you can provide information on this. If I run into problems with the implementation I'd like to use your custom services so I can get this resolved. Thank you.

In the simple cases you can use PKCS7/CMS encryption (see TElMessageEncryptor and TElMessageDecryptor classes) with a self-signed certificate (the same as the password, but the certificate embedded into the application resources and obfuscated is much harder to see in the code). The mentioned classes can be used with any license, i.e. your existing one will fit.

The question is, however, how it is expected for this data to be read. If it's read and written by only one instance of your application, and when the size of the data is relatively small (say under 1 Mb), then the above approach will work.

If you have larger amounts of data (e.g. you want a large encrypted file to be accessed from different instances of your application), the task becomes a bit more complicated. The main problem is concurrent access and the time needed to encrypt the data. Such a task can be solved by using, for example, our Solid File System (Application edition if you have all file access in one running process and OS edition if several processes can access the data in parallel).

If you have a DBMS whose files you want to encrypt, then SolFS is *the* right approach.

The file is about 2 MB and there will be several concurrent users, but there are only 50 - 100 writes to the database over the course of the day by all users combined. Does this sound like an issue?

Also, how do I proceed with a formal request for you to incorporate the certificate work and encryption within a procedure, including instructions on how to obtain certificates on the server? Thank you again for your thoughtful answer.

Mark Naples wrote:
The file is about 2 MB and there will be several concurrent users, but there are only 50 - 100 writes to the database over the course of the day by all users combined. Does this sound like an issue?

If all changes go through the same process (i.e. running EXE), then this should not be a big issue once you ensure that the data is not read/written concurrently.

Mark Naples wrote:
Also, how do I proceed with a formal request for you to incorporate the certificate work and encryption within a procedure, including instructions on how to obtain certificates on the server?

Mark Naples wrote:
Thank you. You write "once you ensure that the data is not read/written concurrently." What method/code do I use to ensure this?

You use mechanisms like critical sections (see TCriticalSection class) to ensure that the code which accesses the data is executed in only one thread at the same time.
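As an added example (not code from this thread, from EldoS or from Mark's application), here is the decrypt-modify-encrypt cycle from the first post wrapped in a TCriticalSection so that only one thread of the process touches the file at a time. The SecureBlackbox names used (TElMessageDecryptor.Decrypt, TElMessageEncryptor.Encrypt, the CertStorage and Algorithm properties, SB_ALGORITHM_CNT_AES256 and the unit names) are written from memory of its documentation and should be checked against the installed version; Certs is assumed to already hold the self-signed certificate together with its private key, loaded from the embedded resource.

```pascal
uses
  SysUtils, Classes, SyncObjs, SBCustomCertStorage, SBMessages, SBConstants;

var
  FileLock: TCriticalSection;  // create once at startup, free at shutdown

// Decrypt FileName into memory, let Modify change the plaintext, re-encrypt it
// to a temp file and swap that in. FileLock keeps the whole read-modify-write
// cycle exclusive to one thread of this EXE; it does nothing against a second
// process, which is why a shared file needs OS-level locking or SolFS instead.
procedure UpdateEncryptedFile(const FileName: string; Certs: TElCustomCertStorage;
  Modify: TProc<TMemoryStream>);
var
  Plain: TMemoryStream;
  F: TFileStream;
  Dec: TElMessageDecryptor;
  Enc: TElMessageEncryptor;
begin
  FileLock.Enter;
  try
    Plain := TMemoryStream.Create;
    Dec := TElMessageDecryptor.Create(nil);
    Enc := TElMessageEncryptor.Create(nil);
    try
      Dec.CertStorage := Certs;  // private key in Certs unwraps the CMS envelope
      F := TFileStream.Create(FileName, fmOpenRead or fmShareDenyWrite);
      try
        if Dec.Decrypt(F, Plain, 0) <> 0 then raise Exception.Create('decrypt failed');
      finally F.Free; end;
      Plain.Position := 0;
      Modify(Plain);               // caller edits the plaintext in memory only
      Plain.Position := 0;
      Enc.CertStorage := Certs;
      Enc.Algorithm := SB_ALGORITHM_CNT_AES256;  // CMS content-encryption algorithm
      F := TFileStream.Create(FileName + '.tmp', fmCreate);
      try
        if Enc.Encrypt(Plain, F, 0) <> 0 then raise Exception.Create('encrypt failed');
      finally F.Free; end;
      // the original is replaced only once the new ciphertext is fully on disk,
      // so a crash mid-write leaves the previous encrypted file intact
      if not (DeleteFile(FileName) and RenameFile(FileName + '.tmp', FileName)) then
        raise Exception.Create('cannot replace ' + FileName);
    finally
      Enc.Free; Dec.Free; Plain.Free;
    end;
  finally
    FileLock.Leave;
  end;
end;
```

The plaintext never reaches the disk; it lives only in Plain for the duration of the call and is freed before the lock is released.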

Mark Naples wrote:
Is there sample code using TElMessageEncryptor and TElMessageDecryptor showing how to encrypt/decrypt from file to stream and also saving/retrieving certificates for use in those processes?

Yes, you will find the sample in <SecureBlackbox>\Samples\Delphi\PKIBlackbox\PKCS7 folder.

Thank you. I do not have a PKCS7 folder but I do have a PKCS11 folder.

Can you provide a quotation to me for your developers to write an implementation of the TCriticalSection class and also the encryption/decryption and certificate assignment processes? I would rather have the experts do it than have me spend hours trying to learn what needs to be done.

Please let me know if you can provide this service. Thank you again for your prompt answers.

If you have an older version of SecureBlackbox, the sample may be called MessagesDemo.

As for the service, I am afraid this is not easy, and here's why: I have described a tiny piece of code which would become an integral part of your application design. We can't develop a tiny piece without seeing how it will fit into the overall application. And learning this (together with you) will take more of your and our time than it would take you to learn about TCriticalSection.